
Introduction to Front-end/Back-end Arrangements

By default, Exchange Server 2003 installs OWA and Outlook Mobile Access (OMA) in the Exchange organization. Although OWA and OMA can be used quite effectively inside an organization to give non-Windows-based clients access to Exchange mailboxes, their primary purpose is to allow users to reach their Exchange mailboxes when they are away from the network. A typical OWA user might be a manager who is on vacation but still needs to check email daily to ensure that any items requiring attention are handled promptly.

Given that the primary intended purpose of OWA (and OMA) is to provide Exchange mailbox access to users located outside of your protected internal network, some additional considerations must be given to creating and implementing a secure and highly available solution. Enter the concept of front-end/back-end Exchange servers. If you've ever worked with Network Load Balancing (NLB) or clustering, you are probably familiar with this concept. If not, a short introduction (with an emphasis on the Exchange specifics of the topic) is in order.


To learn more about NLB and clustering, be certain to read MCSE 70-293 Training Guide: Planning and Maintaining a Windows Server 2003 Network Infrastructure by Will Schmied and Rob Shimonski, Que Publishing, 2003.


Figure 6.23 depicts a sample front-end/back-end Exchange implementation designed to support only OWA using SSL-secured connections.

Figure 6.23. A front-end/back-end Exchange server configuration should be used to provide increased security and reliability.



Notice that on the external firewall only port 443 (HTTP over SSL) is open. Inbound OWA client requests are passed to the front-end Exchange servers. These servers then communicate with the back-end Exchange servers, authenticating the user and making the user's mailbox available via OWA. Notice that several ports are open on the internal firewall. These ports are

  • 53: Port 53 is used by the front-end server to resolve hostnames on the protected internal network through Domain Name System (DNS) queries.

  • 80: Port 80 is used for the OWA traffic.

  • 88: Port 88 is used for Kerberos authentication between the front-end server and the domain controllers located on the protected internal network.

  • 135: Port 135 is used for Remote Procedure Call (RPC) to the global catalog servers and for service discovery.

  • 389: Port 389 is used for Lightweight Directory Access Protocol (LDAP) communications to domain controllers on the protected internal network through DNS queries.

  • 1024-65535: Ports 1024-65535 are used for RPC to the global catalog servers and for service discovery. In addition, port 3268 is used for LDAP communications to global catalog servers.


If you do not allow RPC ports to be open on the firewall separating the front-end and back-end Exchange servers, no client authentication can be performed on the front-end server; thus, these virtual servers need to allow anonymous access. Obviously, this is not a recommended configuration.
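The port list and the caution above lend themselves to a simple configuration audit: given the internal firewall's rules, check that every port the front-end server needs toward the protected network is reachable, and flag the specific failure mode described above (no RPC path, so the front-end cannot authenticate users). The following is an added example, not code from the book or from Microsoft; the one-line rule syntax (`allow frontend -> internal 1024-65535`), the zone names, the service labels and the two sample rulesets are all constructed for illustration.

```python
"""Audit an internal-firewall rule list against the ports an Exchange 2003
front-end server needs to reach the back-end network (Figure 6.23)."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Port requirements taken from the chapter's list for the internal firewall.
# The service labels are constructed for this example.
REQUIRED_PORTS: Dict[str, Tuple[int, int]] = {
    "DNS (53)": (53, 53),
    "OWA HTTP (80)": (80, 80),
    "Kerberos (88)": (88, 88),
    "RPC endpoint mapper (135)": (135, 135),
    "LDAP to domain controllers (389)": (389, 389),
    "LDAP to global catalog (3268)": (3268, 3268),
    "RPC dynamic range (1024-65535)": (1024, 65535),
}

# The caution in the text: without RPC, the front-end cannot authenticate users.
RPC_SERVICES = {"RPC endpoint mapper (135)", "RPC dynamic range (1024-65535)"}


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # source zone, e.g. "frontend" (or "any")
    dst: str     # destination zone, e.g. "internal" (or "any")
    low: int     # first port covered
    high: int    # last port covered


def parse_rule(line: str) -> Rule:
    """Parse one line of a hypothetical rule syntax:
    'allow frontend -> internal 1024-65535' or 'deny any -> internal 135'."""
    action, src, arrow, dst, ports = line.split()
    if action not in ("allow", "deny") or arrow != "->":
        raise ValueError(f"bad rule: {line!r}")
    low, _, high = ports.partition("-")
    return Rule(action, src, dst, int(low), int(high or low))


def parse_rules(text: str) -> List[Rule]:
    """Parse a whole ruleset, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def port_allowed(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """First matching rule wins; no match means the firewall's default deny."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.low <= port <= r.high:
            return r.action == "allow"
    return False


def audit(rules: List[Rule], src: str = "frontend", dst: str = "internal") -> Set[str]:
    """Return the required services that are NOT fully reachable from src to dst."""
    missing: Set[str] = set()
    for name, (low, high) in REQUIRED_PORTS.items():
        if not all(port_allowed(rules, src, dst, p) for p in range(low, high + 1)):
            missing.add(name)
    return missing


def forces_anonymous_access(missing: Set[str]) -> bool:
    """True when any RPC path is blocked: the front-end server could then not
    authenticate users, so its virtual servers would have to allow anonymous access."""
    return bool(missing & RPC_SERVICES)


# Constructed sample rulesets (not from the book). The first omits the RPC
# dynamic range; the second opens everything the chapter lists.
INCOMPLETE_RULES = """
# internal firewall, front-end DMZ -> protected network
allow frontend -> internal 53
allow frontend -> internal 80
allow frontend -> internal 88
allow frontend -> internal 135
allow frontend -> internal 389
allow frontend -> internal 3268
deny  any -> internal 1-65535
"""

COMPLETE_RULES = INCOMPLETE_RULES.replace(
    "deny  any -> internal 1-65535",
    "allow frontend -> internal 1024-65535\ndeny  any -> internal 1-65535",
)

if __name__ == "__main__":
    for label, text in (("incomplete", INCOMPLETE_RULES), ("complete", COMPLETE_RULES)):
        missing = audit(parse_rules(text))
        print(f"{label}: missing={sorted(missing) or 'none'}, "
              f"anonymous access forced={forces_anonymous_access(missing)}")
```

Running the script reports the incomplete ruleset as missing the RPC dynamic range and therefore forcing anonymous access on the front-end virtual servers, while the complete ruleset passes. The per-port, first-match evaluation is deliberate: a single high-port `deny` placed before the `allow` would otherwise go unnoticed by a check that only compared rule ranges.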


To further increase network security, you can implement IPSec-secured communications between the front-end and back-end Exchange servers.



    Implementing and Managing Exchange Server 2003 Exam Cram 2 Exam 70-284
    ISBN: 0789730987
    Year: 2004
    Pages: 171
